While some botherders have opted for the arguably much safer P2P architecture in order to ensure their botnets' resilience, others are still clinging to the traditional model, in which the bots contact a set of C&C servers for their instructions.

Among the latter are the masters of the Cutwail / Pushdo botnet, one of the longest-lived botnets around, and the decision seems to be working for them: despite several past takedown attempts, it is still going strong.

Of course, such a C&C architecture requires a set of tricks so that the suspicious network traffic to and from the zombie computers isn't easily spotted, and Trend Micro researchers have shared some of them:

Blending C&C communication with normal traffic: the latest variants of the malware send out numerous HTTP requests to other sites, and the requests to the C&C servers are hidden among them. The bots often contact multiple servers, and not all of these requests are for fetching the configuration file; the volume of the decoy traffic can ultimately amount to small DDoS attacks against the sites it is aimed at.

Carrying an encrypted list of 200 domains, but contacting only 20 randomly chosen ones at any given time.

Using legitimate but compromised domains, large and small, as C&C servers, so that requests to them pass under the radar.

Using a domain generation algorithm (DGA) to rotate C&C servers and stay one or more steps ahead of the security industry.

"Pushdo in particular uses calendar date as the seed in its DGA and generates 30 domains for each day. It tries to connect to not only domains for a given day, but also all domains generated from days between 30 days earlier and 15 days later. In other words, it may try to connect to 1380 domains each day," the researchers pointed out, adding that this feature can be a challenge for behavior-based and sandbox analysis.

"Using sandboxing analysis without reverse engineering the malware and figuring its DGA may not be enough to block C&C communication, as the malware generates different domains for each day."
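The following Python model shows why the sliding window matters in practice. It is an added example, not code from the article or from Trend Micro; the hash-based domain derivation and the TLD set are assumptions standing in for Pushdo's real algorithm, which the article does not describe. Only the figures from the quote are taken from the page: 30 domains per day, looked up for every day from 30 days back to 15 days ahead (46 days, 1380 domains). The model compares a blocklist built from what a sandbox would record on one day with one generated from the reversed DGA.

```python
"""Model of a date-seeded DGA with a 46-day lookup window (30 back, 15 ahead).

Added illustration: the SHA-256 derivation below is a stand-in, not Pushdo's
actual algorithm, which the article does not describe.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 30   # figures from the Trend Micro description
DAYS_BACK = 30
DAYS_FORWARD = 15
TLDS = ("com", "net", "org")  # assumption: the article does not say which TLDs are used


def domains_for_day(day_iso: str, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive `count` domains from a calendar date given as YYYY-MM-DD.

    Hypothetical construction: SHA-256("date:index") -> 12 hex chars as the
    label, two more hex chars to pick the TLD. It is deterministic, so anyone
    who knows the algorithm can reproduce the list for any date.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).hexdigest()
        label = digest[:12]
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def _shift(day_iso: str, days: int) -> str:
    """Return the ISO date `days` days after (or before, if negative) `day_iso`."""
    return (date.fromisoformat(day_iso) + timedelta(days=days)).isoformat()


def candidate_set(today_iso: str) -> set[str]:
    """Every domain the bot may try on `today`: 30 per day for each day in
    [today - 30, today + 15], i.e. 46 days x 30 = 1380 domains."""
    names: set[str] = set()
    for offset in range(-DAYS_BACK, DAYS_FORWARD + 1):
        names.update(domains_for_day(_shift(today_iso, offset)))
    return names


def coverage(blocklist: set[str], day_iso: str) -> float:
    """Fraction of the domains the bot may try on `day_iso` that `blocklist` contains."""
    live = candidate_set(day_iso)
    return len(live & blocklist) / len(live)


def dga_blocklist(start_iso: str, days_ahead: int) -> set[str]:
    """What reversing the DGA buys the defender: every domain the bot can try on
    any day from `start` through `start + days_ahead`, generated in advance.
    Those are the per-day lists for [start - 30, start + days_ahead + 15]."""
    names: set[str] = set()
    for offset in range(-DAYS_BACK, days_ahead + DAYS_FORWARD + 1):
        names.update(domains_for_day(_shift(start_iso, offset)))
    return names


if __name__ == "__main__":
    observed = "2015-03-01"                  # constructed: the day the sample ran in the sandbox
    sandbox_list = candidate_set(observed)   # the 1380 lookups a full sandbox run could record
    print(f"candidates on {observed}: {len(sandbox_list)}")
    for later in (1, 16, 46):
        day = _shift(observed, later)
        print(f"sandbox-derived blocklist coverage {later:2d} days later ({day}): "
              f"{coverage(sandbox_list, day):.1%}")
    horizon = _shift(observed, 60)
    ahead = dga_blocklist(observed, 60)
    print(f"DGA-derived blocklist for the next 60 days: {len(ahead)} domains, "
          f"coverage on {horizon}: {coverage(ahead, horizon):.0%}")
```

The day after the sandbox run the recorded list still covers 45 of the 46 days in the window (about 98%), but each day 30 new domains enter the window and 30 leave it, so after 16 days coverage is down to 900 of 1380 and after 46 days it is zero. The DGA-derived list, by contrast, covers every day up to its horizon, which is the point the researchers make: without reversing the algorithm, the domains observed in a sandbox go stale by construction.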

The days of file-signature detection are over, they say, and AV companies must rely on a combination of alternative approaches to detection, such as sandboxing, deep analysis and reputation services.
